3.9.2 has a weight of -5 points

System Security Plan (SSP) – Control 3.9.2

Control Identifier: 3.9.2

Control Title: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Control Description: This control focuses on safeguarding Controlled Unclassified Information (CUI) during and after personnel actions such as terminations and transfers. The organization ensures that thorough out-processing steps are taken to prevent departing employees from having unauthorized access to CUI. This includes HR notifications, disabling system accounts, collecting system-related property, conducting exit interviews, and updating security systems as necessary.

Current Implementation:

• The organization has established a comprehensive process for protecting CUI during and after personnel actions. The process involves collaboration between various departments, including HR, Facility Security Officer (FSO), Equipment Custodian, and other company representatives.

• Key aspects of the current implementation include HR notifications, immediate termination of system access, password resets, updating physical security systems, and escorting departing employees out of the building.

• All access, including computer systems and physical building access, is promptly removed upon personnel actions, such as terminations. Departing employees are escorted out of the building, and personal items are collected by security officers and managers.

• Notably, departing individuals are not permitted to clean out their computer systems, mobile devices, or offices. All these tasks are carried out by authorized staff members to ensure the security and integrity of CUI.

• The procedures and policies governing these actions are documented in the organization’s Employee Handbook, ensuring that all employees are aware of the strict security protocols in place during personnel actions.

Protection of CUI During Personnel Actions:

• The organization recognizes the importance of protecting CUI during personnel actions, including terminations and transfers. This includes returning system-related property, conducting exit interviews, and reminding departing individuals of nondisclosure agreements.

POA&M (Plan of Action and Milestones):

1. Review of Exit Procedures:

• Description: Review and update exit procedures to ensure that they align with the current requirements for protecting CUI during and after personnel actions, emphasizing the role of authorized staff in cleaning out personal items.

• Responsible Party: HR Department

• Target Completion Date: MM/DD/YYYY

2. Documentation Update:

• Description: Update documentation, including the SSP and Employee Handbook, to reflect the organization’s commitment to protecting CUI during personnel actions and the specific procedures for securing personal items.

• Responsible Party: IT Documentation Team

• Target Completion Date: MM/DD/YYYY

3. Employee Training:

• Description: Provide training to employees, especially those in HR and management roles, regarding the importance of protecting CUI during personnel actions and the specific procedures outlined in the Employee Handbook.

• Responsible Party: Training and Development Team

• Target Completion Date: MM/DD/YYYY

4. Exit Interview Process:

• Description: Review and enhance the exit interview process to ensure that departing employees understand security constraints, including the prohibition of self-cleaning, and the return of system-related property.

• Responsible Party: HR Department

• Target Completion Date: MM/DD/YYYY

5. Physical Security Updates:

• Description: Ensure that physical security systems are promptly updated to reflect changes in access permissions and building security requirements during personnel actions.

• Responsible Party: Facility Management Team

• Target Completion Date: MM/DD/YYYY

6. Continuous Monitoring:

• Description: Implement a continuous monitoring process to track compliance with CUI protection during personnel actions, including the strict adherence to procedures regarding personal item collection as outlined in the Employee Handbook.

• Responsible Party: IT Security Team

• Target Completion Date: Ongoing

Completion Criteria: Each POA&M item should be completed as per the target completion date. The responsible parties should ensure that the control is effectively implemented and continuously monitored.

Review and Reporting: The organization’s IT Security Team will provide regular progress updates and reports to the senior management team regarding the status of the POA&M items and the overall effectiveness of the control.

Signature: [Authorized Official]

Date: MM/DD/YYYY

Termination and Personnel Actions Policy

1. Introduction

At [Your Company Name], we are dedicated to safeguarding Controlled Unclassified Information (CUI) and maintaining the highest level of security during personnel actions, including terminations and transfers. This policy outlines our procedures and protocols to ensure the protection of CUI and the security of our systems and facilities during and after such actions.

2. Responsibilities

• Human Resources (HR): HR will promptly initiate personnel actions and notify relevant departments, including the Facility Security Officer (FSO), IT, Equipment Custodian, and other company representatives, as necessary.
• Facility Security Officer (FSO): The FSO will oversee the implementation of security measures during personnel actions and ensure compliance with relevant security protocols.
• IT Department: IT will immediately terminate system access, reset passwords, and update physical security systems as needed.
• Security Officers and Managers: Authorized security officers and managers will escort departing employees out of the building and collect system-related property.

3. Protection of CUI During Personnel Actions

3.1 HR Notifications

Upon initiation of a personnel action, such as termination or transfer, HR will promptly notify the relevant departments to initiate the security procedures.

3.2 Immediate Termination of System Access

To prevent unauthorized access to CUI, IT will immediately terminate system access for departing employees, including disabling user accounts and resetting passwords.

3.3 Updating Physical Security Systems

Physical security systems will be updated to reflect the change in personnel status, ensuring that access to our facilities is controlled and restricted as needed.

3.4 Escorting Departing Employees

Upon personnel actions, such as terminations, departing employees will be escorted out of the building by authorized personnel to prevent unauthorized re-entry.

3.5 Collection of System-Related Property

To maintain the security and integrity of CUI, departing individuals are not permitted to clean out their computer systems, mobile devices, or offices. Authorized staff members will handle the collection of system-related property, including hardware and storage devices.

3.6 Exit Interviews

Exit interviews will be conducted with departing employees to discuss nondisclosure agreements, security obligations, and to collect any company property in their possession.

3.7 Return of Company Property

Departing employees must promptly return all company property, including computer systems, mobile devices, access badges, keys, and any other items issued to them.

3.8 Access Revocation

Access to all company systems, including computer accounts, email, and building access, will be revoked immediately upon the initiation of personnel actions.

3.9 Confidentiality Obligations

Departing employees are reminded of their confidentiality obligations and the importance of not disclosing sensitive information, even after their departure.

3.10 Contacting HR for Terminations

For terminations, the firing manager is required to immediately contact HR, who will then initiate the necessary security measures. HR will subsequently contact IT and the Facility Security Officer (FSO) to ensure the prompt implementation of security protocols.

3.11 Retrieval and Inventory of Personal Devices

Personal devices and physical access devices issued by the company will be retrieved and checked against inventory records to ensure all assets are accounted for during personnel actions.

4. Reporting Suspicious Activity

Employees are encouraged to report any suspicious or concerning behavior related to personnel actions. A clear process for reporting such incidents, including contact information for relevant security personnel, is provided.

5. Legal and Regulatory Compliance

This policy complies with all applicable federal and state laws, regulations, and industry standards related to personnel actions, data protection, and security.

6. Communication

Departing employees will be informed of security protocols and procedures during personnel actions through written notices and verbal communication.

7. Training

Personnel actions and security protocols are incorporated into our employee training programs to ensure that all employees are aware of the policy and receive training on their responsibilities during personnel changes.

8. Review and Updates

This policy will be reviewed regularly to assess its effectiveness and to make adjustments based on lessons learned and changes in regulations or technology.

9. Non-Retaliation Clause

Employees who report security concerns or violations related to personnel actions will not face retaliation or adverse employment actions for doing so.

10. Conclusion

At [Your Company Name], we take the protection of CUI seriously. Our Termination and Personnel Actions Policy is designed to ensure that CUI remains secure and confidential during and after personnel changes. We appreciate the cooperation of all employees in upholding these security measures and maintaining the trust of our clients and partners